In-depth security news and investigation

Posts Tagged: bulletproof hosting

Nate Anderson at Ars Technica has a good story about how investigators tracked down “Virus,” the nickname allegedly used by a Romanian man accused by the U.S. Justice Department of running the Web hosting operations for a group that created and marketed the Gozi banking Trojan. Turns out, I’ve been sitting on some fascinating details about this hosting provider for many months without fully realizing what I had.

On Wednesday, federal prosecutors unveiled criminal charges against three men who allegedly created and distributed Gozi. Among them was Mihai Ionut Paunescu, a 28-year-old Romanian national accused of providing the gang “bulletproof hosting” services. Bulletproof hosting is an Underweb term for a hosting provider that will host virtually any content, from phishing and carding sites to botnet command centers and browser exploit kits. After I read the Ars story, I took a closer look at the Paunescu complaint (PDF), and several details immediately caught my eye.

For one thing, the feds say Paunescu was an administrator of powerhost.ro (virus@powerhost.ro). In December 2011, a source shared with KrebsOnSecurity several massive database dumps from that server, which had apparently been hacked. Included in that archive was a screenshot of the administration panel for the powerhost.ro server. It visually depicts many of the details described in the government’s indictment and complaint against Paunescu, such as how the BP provider was home to more than 130 servers, and that it charged exorbitant prices — sometimes more than 1,000 euros per month for a single server.

The above screenshot (which is a snippet taken from this full-screen version) shows that this server was used for projects that were “50%SBL,” meaning that about half of the properties on it were listed on the Spamhaus Block List (SBL), which flags Web sites that participate in malicious activity online, particularly sending or benefiting from spam and hosting malware. Some of the names chosen for the servers are fairly telling, such as “darkdeeds1,” “darkdeeds2,” “phreak-bots” and “phis1.” The data dump from powerhost.ro included multiple “drop” sites, where ZeuS and SpyEye botnets would deposit passwords, bank account information and other data stolen from tens of thousands of victim PCs.
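The "50%SBL" figure on the panel is the kind of metric a defender can reproduce for any server inventory, because the SBL is queried like every DNSBL: reverse the octets of the IPv4 address, append the list zone, and resolve an A record; an answer in 127.0.0.0/8 means "listed" and encodes the reason. The script below is an added example, not code from the article or from Spamhaus. The zone name `sbl.spamhaus.org`, the 127.0.0.2/127.0.0.3 listing codes and the 127.255.255.x error codes follow Spamhaus's published conventions; the host names, addresses and DNS answers are constructed sample data so the report runs offline.

```python
"""Report what fraction of a server inventory is listed on the Spamhaus SBL.

Added example, not from the article. Real lookups go through the system
resolver; the constructed offline resolver at the bottom stands in for DNS
so the sample report can run without network access.
"""
import socket
from typing import Callable, Dict, Optional, Tuple

SBL_ZONE = "sbl.spamhaus.org"

# Return codes Spamhaus documents for the SBL zone.
SBL_CODES = {
    "127.0.0.2": "SBL listing",
    "127.0.0.3": "SBL CSS listing",
}


def dnsbl_query_name(ip: str, zone: str = SBL_ZONE) -> str:
    """Build the reversed-octet DNSBL query name, e.g. 10.2.0.192.sbl.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def classify_answer(answer: Optional[str]) -> Tuple[bool, str]:
    """Map a DNSBL A-record answer (or None for NXDOMAIN) to (is_listed, verdict)."""
    if answer is None:
        return False, "not listed"
    if answer.startswith("127.255.255."):
        # Spamhaus signals query problems here (open resolver, rate limit, bad query);
        # treating these as listings would inflate the percentage.
        return False, f"query error ({answer})"
    return True, SBL_CODES.get(answer, f"listed (undocumented code {answer})")


def live_resolver(name: str) -> Optional[str]:
    """Resolve a DNSBL name with the system resolver; NXDOMAIN becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def sbl_report(inventory: Dict[str, str],
               resolve: Callable[[str], Optional[str]] = live_resolver) -> Dict[str, object]:
    """Return per-host verdicts plus the count and percentage of SBL-listed hosts."""
    verdicts: Dict[str, str] = {}
    listed = 0
    for host, ip in inventory.items():
        is_listed, verdict = classify_answer(resolve(dnsbl_query_name(ip)))
        verdicts[host] = verdict
        listed += int(is_listed)
    percent = round(100 * listed / len(inventory)) if inventory else 0
    return {"verdicts": verdicts, "listed": listed, "percent_listed": percent}


# Constructed inventory: names echo the panel in the article, addresses are
# RFC 5737 documentation ranges and are not real hosts.
SAMPLE_INVENTORY = {
    "darkdeeds1": "192.0.2.10",
    "darkdeeds2": "192.0.2.11",
    "phis1": "198.51.100.5",
    "clean-web1": "203.0.113.7",
}

# Constructed DNS answers standing in for real responses.
SAMPLE_ANSWERS = {
    dnsbl_query_name("192.0.2.10"): "127.0.0.2",          # SBL listed
    dnsbl_query_name("192.0.2.11"): "127.0.0.3",          # SBL CSS listed
    dnsbl_query_name("198.51.100.5"): "127.255.255.254",  # error: query via open resolver
}


def offline_resolver(name: str) -> Optional[str]:
    """Lookup against the constructed answers; anything else is 'not listed'."""
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    report = sbl_report(SAMPLE_INVENTORY, offline_resolver)
    for host, verdict in report["verdicts"].items():
        print(f"{host:12} {verdict}")
    print(f"{report['percent_listed']}% of servers SBL-listed")
```

Swap `offline_resolver` for the default `live_resolver` to check a real inventory; note that Spamhaus answers queries from large public resolvers with the 127.255.255.x error codes, which the report deliberately does not count as listings.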

Hacked and malicious sites designed to steal data from unsuspecting users via malware and phishing are a dime a dozen, often located in the United States, and are a key target for takedown by ISPs and security researchers. But when online miscreants seek stability in their Web projects, they often turn to so-called “bulletproof hosting” providers, mini-ISPs that specialize in offering services that are largely immune from takedown requests and pressure from Western law enforcement agencies.

Until recently, you more or less had to gain access to and lurk on the right underground forums to be able to rent services from bulletproof hosting providers. These days, it’s becoming easier to find these badware havens advertising out in the open. Last week, I traced the activities of one particular service frequented by criminals back to a bulletproof provider whose slogan says it all: “You’ll Never Get Any Abuse From Us!”

Of course, just how insulated this particular provider’s services are and how much illicit activity you can get away with while using them depends largely on how much you’re willing to shell out each month. For example, an entry level “default bulletproof server” allows customers to host things like rogue online pharmacies, replica, gambling, and MP3 sites for $270 per month. But this service level bars customers from hosting nastier content, such as malware, spyware, adware, exploits, viruses, and phishing sites.

Upgrade to the “Super BulletProof Virtual Dedicated Servers in China” — and pay almost $500 a month — and the only activities that are prohibited are sending spam and hosting any type of porn.

The provider pictured here also upsells potential customers by offering a variety of handy add-on services. For extra coin each month, one can rent a bulletproof server with a license for XRumer, a black hat search engine manipulation tool that automates the registration of new Web forum accounts and the spamming of links on those forums, all in a bid to boost the search engine rankings of the spamvertized site. If you operate a blog and have had to deal with what appear to be automated, link-filled comments, chances are good that XRumer was involved in some way.

For a $20 one-time setup fee, your server will come pre-packaged with links for forums that XRumer is able to spam, including thousands of Web pages in top-level domains that are often given more ranking weight by search engines, such as .edu, .gov and .mil.
